Striftime Error or Settings questions

hyungjoon · ‎12-17-2018

For some reason when I have Time as below, and use (| eval SortingTime=strftime(SortingTime, " %H:%M:%S") I always get exactly 1more hour to what I should get.

So if I use | eval SortingTime=strftime(SortingTime, " %H:%M:%S") , I would get 01:23:39 instead of 00:23:39 and same goes for everytime I try to use strftime, I always get an extra hour

I have 2 accounts. one account seems to get the right strftime but the other one always adds an extra hour to strftime. Is there something wrong with my settings???

harsmarvania57 · ‎12-17-2018

Do you have timezone specified for account in which you are getting +1 hour ?

Or try below query

<yourBaseSearch>
| eval SortingTime=tostring(SortingTime, "duration")

hyungjoon · ‎12-17-2018

yes I have timezone specified for both account but they are specified to the same timezone. I don't know why one would give me +1 hour while the other won't. Is there anyway I can fix this?

harsmarvania57 · ‎12-17-2018

If you would like to convert 1419.000000 into Duration then you need to use | eval SortingTime=tostring(SortingTime, "duration")

harsmarvania57 · ‎12-17-2018

If you would like to convert 1419.000000 into Duration then you need to use | eval SortingTime=tostring(SortingTime, "duration")

Striftime Error or Settings questions

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...